Ip_ban with docker and nginx reverse proxy

I run my HA on docker and connect via an nginx reverse proxy, all on the same RPi.
When I now set ip_ban_enabled: true and do some failed logins, it’s always a docker IP 172.18.0.n which is banned. Even if I set a trusted_proxy, it’s the same:

http:
  # ssl_certificate: /etc/letsencrypt/fullchain.cer
  # ssl_key:         /etc/letsencrypt/mydomain.cer
  ip_ban_enabled: true
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies:
    - <Raspberry Pi IP>
    # - ::1
    - 172.18.0.0/24

Then I tried to set the path to the SSL key files. In the docs, it shows to use .pem files. My acme.sh produces fullchain.cer and mydomain.cer, which look like PEM-formatted files:

-----BEGIN CERTIFICATE-----
MIIGtjCCBJ6gAwIBAgIQTUj1kmmFKvZ2ZhaF++eKATANBgkqhkiG9w0BAQwFADBL
MQswCQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NT
...
-----END CERTIFICATE-----

When I add the path to those files, the HA container starts but I can’t open the webUI.
Any hints what I am doing wrong?

Nginx is reverse proxy and sends external traffic to HA

From HA’s perspective, the connecting device is the nginx server (the docker IP), not the external device’s IP

You need to set nginx config to basically add headers (or something similar… I forget) so that it properly passes external IP to HA

In nginx, it is the “proxy_set_header” stuff, specifically the “X-Forwarded-For $proxy_add_x_forwarded_for” that does this, if I remember correctly. Anyway, seems like a good time to review the nginx docs to better understand the lines below to gain better understanding of how it applies to your HA connection. Or just ignore all that and simply make sure your nginx config is correct and has the stuff below

Doing this should fix the docker IP getting banned issue. Not sure where you were going with the SSL file stuff. Just assumed you thought it was related to ban issues but no, it wouldn’t cause the ban.

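location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        # Append the connecting client's address so HA sees it instead of the proxy's
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket upgrade; $connection_upgrade is not built in and must be
        # defined by a map block in the http context
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
}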
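Why the proxy's address is the one that gets banned without the header, as an added example (not part of the posts above and not Home Assistant's own code): a simplified model of resolving the client address from X-Forwarded-For, using the trusted_proxies range and login threshold from the config in the question. The proxy address 172.18.0.2 and the client addresses are constructed sample values.

```python
import ipaddress
from collections import Counter

TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/24")]  # range from the question's config
LOGIN_ATTEMPTS_THRESHOLD = 3                                # value from the question's config

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, x_forwarded_for=None):
    """Return the address a failed login is charged to (simplified model)."""
    peer_ip = ipaddress.ip_address(peer)
    # Only a trusted proxy may speak for someone else; from any other peer
    # the header is client-controlled and is ignored.
    if not x_forwarded_for or not is_trusted(peer_ip):
        return peer_ip
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    except ValueError:
        return peer_ip  # malformed header: fall back to the socket peer
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, so the first untrusted address is the real client.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]

def banned_after(requests):
    """requests: iterable of (peer, X-Forwarded-For) failed logins -> set of banned IPs."""
    failures = Counter(client_ip(peer, xff) for peer, xff in requests)
    return {str(ip) for ip, n in failures.items() if n >= LOGIN_ATTEMPTS_THRESHOLD}

# Constructed sample traffic (documentation address ranges).
NGINX = "172.18.0.2"  # hypothetical container address of the nginx proxy
without_header = [(NGINX, None)] * 3            # nginx does not set the header
with_header = [(NGINX, "203.0.113.7")] * 3      # nginx sets X-Forwarded-For
# The client sent its own X-Forwarded-For; nginx appended the real address after it.
spoofed = [(NGINX, "10.1.2.3, 198.51.100.9")] * 3

if __name__ == "__main__":
    print(banned_after(without_header))
    print(banned_after(with_header))
    print(banned_after(spoofed))
```

The third case shows why the header is read from the right: a value supplied by the client ends up to the left of the address nginx appends, so it never decides who gets banned.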

I had to add the header stuff to my nginx.conf. Perfect. Thanks a lot!


PS: To all who happen to look in here.
Save energy i.e. by lowering the room temperature by 1 degree!
This is the easiest way to harm Putin and his war of aggression.
